You are the administrator of a system. After you find out that the system has been compromised, you discover a malware binary left on it. Curious about the malware, you run the program. As usual, the malware simply terminates without doing anything.
Can you figure out how to run the malware so that it actually performs its malicious activity?
Let's say the following code is the malware's source code.
    #include <time.h>
    #include <stdio.h>
    int main(void)
    {
        time_t t = time(NULL);
        struct tm now = *localtime(&t);
        //printf("%d %d %d\n", now.tm_mon, now.tm_mday, now.tm_wday);
        // http://www.cplusplus.com/reference/ctime/tm/
        // now.tm_wday: Sunday=0, Monday=1, Tuesday=2, Wednesday=3, Thursday=4, Friday=5, Saturday=6
        if( now.tm_wday == 5 && now.tm_mday == 13 ) { // Friday the 13th
            printf("Malicious\n");
            /* do not uncomment this.
            system("rm ~/* -rf"); */
        } else {
            printf("Hello, World!\n");
        }
        return 0;
    }
The predicate (the if statement) decides whether the program executes the "malicious" branch (please do not uncomment the system() call) or the "hello, world!" branch. A closer look at the predicate tells you that the program is malicious only when the date is Friday the 13th.
Your goal is to find out this condition, Friday the 13th, by tracing the program.
In this example, your answer is "The program will expose malicious behavior on the 13th of Friday."
In addition, you are asked to create a Pin tool that shows how to execute the malicious code without actually harming your system. Specifically, you need to trick the program into believing that the condition (Friday the 13th) has been met. Note that this program does not even take any input from you. It simply calls the time() function to get the current time. You could set the system clock to a Friday the 13th. However, this is not what we want to do in this example. Why? Consider a malware sample with multiple malicious code blocks guarded by different predicate conditions. In that case you would have to run it multiple times, once per condition. Moreover, malware may rely on something that you cannot change. For example, it may retrieve the date from other computers over the Internet.
Hence, in this example, we want to intercept the time() function and make it return a Friday the 13th.
Since the example uses time(), which is a libc function, we can intercept it even without Pin. Specifically, you can create a dynamic library that implements time(), and use LD_PRELOAD to load your library before libc, overriding time(). Once you do, the malware program will call your version of time().
This is particularly useful in practice, but you are not allowed to use this trick. Please read the next paragraph.
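The LD_PRELOAD interception described above, as an added example that is not part of the assignment text (the date 13 October 2023, a Friday, and the library name libfakedate.so are constructed for illustration). The replacement time() returns a fixed Friday-the-13th timestamp, so the sample's predicate takes the "malicious" branch in a sandbox without touching the system clock:

```c
// Added example: a drop-in time() for LD_PRELOAD, not the assignment's own code.
// Build:  gcc -shared -fPIC -o libfakedate.so fakedate.c
// Run:    LD_PRELOAD=./libfakedate.so ./malware
#include <time.h>
#include <string.h>

/* Local-time epoch value for noon on 13 October 2023, a Friday (constructed
 * example date). mktime() is used instead of a hard-coded epoch number so the
 * value is correct in any time zone: the target's localtime() reverses the
 * same conversion and therefore sees tm_mday == 13 and tm_wday == 5. */
time_t friday_13th_epoch(void)
{
    struct tm fake;
    memset(&fake, 0, sizeof fake);
    fake.tm_year = 2023 - 1900;   /* years since 1900 */
    fake.tm_mon  = 9;             /* October; tm_mon is 0-based */
    fake.tm_mday = 13;
    fake.tm_hour = 12;            /* noon avoids midnight DST edge cases */
    fake.tm_isdst = -1;           /* let mktime() determine DST */
    return mktime(&fake);
}

/* Same signature as libc's time(); the dynamic loader resolves the malware's
 * call to this definition because the library is loaded before libc. The
 * optional out-parameter is honoured, as some callers use time(&t). */
time_t time(time_t *out)
{
    time_t t = friday_13th_epoch();
    if (out)
        *out = t;
    return t;
}

/* Re-implements the sample's predicate so the fake value can be checked. */
int predicate_fires(time_t t)
{
    struct tm now = *localtime(&t);
    return now.tm_wday == 5 && now.tm_mday == 13;
}
```

Because the predicate is evaluated on the value the override returns, every run of the sample under this library takes the guarded branch; a Pin tool would achieve the same effect by replacing the time() routine at instrumentation time rather than at load time.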
Unfortunately no. The real assignment will have more challenges. For example, I will not use libc functions in the real assignment. Also, the real assignment binary will be packed, so simply applying a disassembler to inspect it will be hard. Real-world malware is mostly packed.